
Changeset 24876 for branches/3.6

Timestamp:
07/29/2013 06:18:58 PM (11 years ago)
Author:
duck_
Message:

Fix potential SQLi through improper use of API functions. For 3.6.

Location:
branches/3.6
Files:
3 edited

  • branches/3.6

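--- a/branches/3.6/wp-admin/includes/ms.php
+++ b/branches/3.6/wp-admin/includes/ms.php
@@ -372,5 +372,5 @@
 	_deprecated_argument( __FUNCTION__, '3.1' );
 
-	$wpdb->update( $wpdb->users, array( $pref => $value ), array( 'ID' => $id ) );
+	$wpdb->update( $wpdb->users, array( sanitize_key( $pref ) => $value ), array( 'ID' => $id ) );
 
 	$user = new WP_User( $id );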
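Review bot: Wrapping `$pref` in `sanitize_key()` on the new line 374 closes the injection path, but it does so by silently rewriting the column name (lowercasing and stripping any character outside `[a-z0-9_-]`), so a caller passing an unexpected value now updates whichever column the mangled string happens to name, or a non-existent one, instead of failing. Since `$pref` is used as a column identifier here, which `$wpdb->update()` does not escape, an allowlist of the columns this function is meant to touch, checked before the update and returning early otherwise, would be the stricter fix; the allowlist would need the column names from the enclosing function, which starts and ends outside the hunk. At minimum the reason for the wrapper should be recorded so it is not removed as redundant: `// $pref becomes a column name, which $wpdb->update() does not escape; sanitize_key() restricts it to [a-z0-9_-]`.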
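--- a/branches/3.6/wp-includes/bookmark.php
+++ b/branches/3.6/wp-includes/bookmark.php
@@ -187,5 +187,5 @@
 
 	if ( ! empty($search) ) {
-		$search = like_escape($search);
+		$search = esc_sql( like_escape( $search ) );
 		$search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
 	}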
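Review bot: The new line 189 is correct only because of the nesting order — `like_escape()` must run first so the backslashes it adds before `%` and `_` are then themselves escaped by `esc_sql()` for the quoted literal on line 190 — and nothing in the code says so, which invites a future "simplification" that swaps or drops one call. I would add `// Order matters: like_escape() neutralises LIKE wildcards, esc_sql() then escapes the result for the quoted SQL literal below.` above the assignment. The underlying weakness remains that line 190 interpolates the value into the query string rather than binding it with `$wpdb->prepare()` and `%s` placeholders; moving to that would be the stronger fix, but the rest of the query is assembled outside this hunk, and the enclosing function starts and ends outside it as well.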